Mitigating DDoS Attacks

Reduce Attack Surface Area

  • Limit the options available to attackers, which allows you to build protections in a single place.

  • For example, the application and database should not be on the same server. You can do this with services such as SQS and Elastic Beanstalk.

Plan for Scale

  • Transit capacity - Make sure your hosting provider provides ample redundant Internet connectivity that allows you to handle large volumes of traffic.

  • Server capacity - Most DDoS attacks are volumetric attacks that use up a lot of resources, so it is important that you can quickly scale your computation resources up or down.

  • For example, whenever CPU load on the application servers is more than 70%, automatically add one more application server to meet demand. You can do this with services such as Elastic Load Balancer (ELB) and Auto Scaling.

Know what is normal and abnormal traffic

  • More advanced protection techniques can go one step further and accept only legitimate traffic by analysing the individual packets themselves.

  • To do this, you need to understand the characteristics of good traffic that the target usually receives and be able to compare each packet against this baseline.

  • For example, a website getting a huge surge in traffic in the middle of the night at 3 AM is abnormal. You can watch for this with services such as CloudWatch and SNS.
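
The baseline comparison described above, as an added Python example (not part of the original notes and not how CloudWatch works internally). It builds a per-hour baseline from request counts and flags the 3 AM surge. Working on hourly request counts rather than individual packets, the function names, the thresholds and the sample numbers are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (hour_of_day, request_count) for seven normal days.
SAMPLE_HISTORY = (
    [(3, c) for c in (110, 120, 130, 115, 125, 120, 140)]
    + [(14, c) for c in (4800, 5000, 5200, 4900, 5100, 5300, 5000)]
)

def build_baseline(history):
    """Return {hour: (median, MAD)} of request counts seen at that hour.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so one unusual day does not distort the baseline.
    """
    by_hour = defaultdict(list)
    for hour, count in history:
        by_hour[hour].append(count)
    baseline = {}
    for hour, counts in by_hour.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[hour] = (med, mad)
    return baseline

def is_abnormal(baseline, hour, count, threshold=6.0):
    """True when count is far above what is usual for this hour of day."""
    if hour not in baseline:
        return True  # no history for this hour: surface it for review
    med, mad = baseline[hour]
    # 1.4826 * MAD approximates one standard deviation for normal data.
    # The 10%-of-median floor stops very steady hours alerting on tiny changes.
    spread = max(1.4826 * mad, 0.1 * med, 1.0)
    return (count - med) / spread > threshold

def find_anomalies(baseline, observations):
    """Return the (hour, count) observations that exceed the baseline."""
    return [(h, c) for h, c in observations if is_abnormal(baseline, h, c)]

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_HISTORY)
    # 5000 requests is ordinary at 14:00 but a surge at 03:00.
    for hour, count in find_anomalies(baseline, [(3, 5000), (14, 5000)]):
        print(f"abnormal traffic: {count} requests at {hour:02d}:00")
```

The same volume is accepted at 14:00 and flagged at 03:00, which is why the baseline is kept per hour of day rather than as one global limit.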

Deploy Firewalls for Sophisticated Application attacks

  • Create customized mitigations against illegitimate requests, which could have common characteristics such as disguising themselves as good traffic or coming from bad IPs, unexpected geographies, etc.

  • When mitigating attacks as they happen, it might also be helpful at times to get experienced support to study traffic patterns and create customized protections.

  • It is recommended to have at least AWS Business Support.

Some of the key AWS services involved in DDoS attack mitigation:

  • Shield

  • CloudFront

  • Route 53

  • WAF

  • Elastic Load Balancing

  • VPC & Security Groups
